<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<subsection-title-en>3.2 Cryptographic Constructs</subsection-title-en>
<subsection-title-ch>3.2 密码学构造</subsection-title-ch>
<p-en>
	This section summarizes two constructs that are built on the cryptographic primitives described in §3.1, and are used in the rest of this work.
</p-en>
<p-ch>
	本节总结了建立在 §3.1 中描述的密码学基元上的两个构造，并在本文的其余部分使用。
</p-ch>
<subsubsection-title-en>3.2.1 Certificate Authorities</subsubsection-title-en>
<subsubsection-title-ch>3.2.1 证书权威</subsubsection-title-ch>

<p-en>
	Asymmetric key cryptographic primitives assume that each party has the correct public keys for the other parties. This assumption is critical, as the entire security argument of an asymmetric key system rests on the fact that certain operations can only be performed by the owners of the private keys corresponding to the public keys. More concretely, if Eve can convince Bob that her own public key belongs to Alice, Eve can produce message signatures that seem to come from Alice.
</p-en>
<p-ch>
	非对称钥加密基元假定每一方都拥有其他各方的正确公钥。这个假设是至关重要的，因为非对称密钥系统的整个安全论证都建立在这样一个事实上，即某些操作只能由对应于公钥的私钥的所有者来执行。更具体地说，如果Eve能让Bob相信自己的公钥是属于Alice的，那么Eve就能产生似乎来自Alice的消息签名。
</p-ch>
<p-en>
	The introductory material in §3.1 assumed that each party transmits their public key over a channel with integrity guarantees. In practice, this is not a reasonable assumption, and the secure distribution of public keys is still an open research problem.
</p-en>
<p-ch>
	§3.1中的介绍材料假设每一方都是在有完整性保证的信道上传输其公钥。实际上，这并不是一个合理的假设，公钥的安全分发仍然是一个有待研究的问题。
</p-ch>
<p-en>
	The most widespread solution to the public key distribution problem is the Certificate Authority (CA) system, which assumes the existence of a trusted authority whose public key is securely transmitted to all the other parties in the system.
</p-en>
<p-ch>
	解决公钥分发问题最广泛的方案是证书权威(CA)系统，它假定存在一个可信权威，其公钥安全地传送给系统中的所有其他各方。
</p-ch>
<p-en>
	The CA is responsible for securely obtaining the public key of each party, and for issuing a certificate that binds a party's identity (e.g., “Alice”) to its public key, as shown in Figure 47.
</p-en>
<p-ch>
	CA负责安全地获取各方的公钥，并负责签发证书，将一方的身份（如 "Alice"）与其公钥绑定，如图47所示。
</p-ch>
<img src="fig.47.jpg" width="" height="" alt="" />
<p-en>
	Figure 47: A certificate is a statement signed by a certificate authority (issuer) binding the identity of a subject to a public key.
</p-en>
<p-ch>
	图47. 证书是由证书权威（签发人）签署的声明，将主体的身份与公钥联系起来。
</p-ch>
<p-en>
	A certificate is essentially a cryptographic signature produced by the private key of the certificate's issuer, who is generally a CA. The message signed by the issuer states that a public key belongs to a subject. The certificate message generally contains identifiers that state the intended use of the certificate, such as “the key in this certificate can only be used to sign e-mail messages”. The certificate message usually also includes an identifier for the issuer's certification policy, which summarizes the means taken by the issuer to ensure the authenticity of the subject's public key.
</p-en>
<p-ch>
	证书实质上是由证书颁发者（一般是CA）的私钥所产生的密码学签名。发证者签署的消息声明某把公钥属于某个主体。证书消息一般包含说明证书用途的识别符，例如 "本证书中的钥只能用于对电子邮件进行签名"。证书消息通常还包括发证者的认证政策的标识符，该标识符概述了发证者为确保主体公钥的真实性而采取的手段。
</p-ch>
<p-en>
	A major issue in a CA system is that there is no obvious way to revoke a certificate. A revocation mechanism is desirable to handle situations where a party's private key is accidentally exposed, to avoid having an attacker use the certificate to impersonate the compromised party. While advanced systems for certificate revocation have been developed, the first line of defense against key compromise is adding expiration dates to certificates.
</p-en>
<p-ch>
	CA系统的一个主要问题是没有明显的方法来撤销证书。为了处理一方的私钥意外暴露的情况，最好有一个撤销机制，以避免攻击者利用证书冒充被泄露方。虽然先进的证书撤销系统已经被开发出来，但防止密钥泄露的第一道防线是在证书上添加到期日。
</p-ch>
<p-en>
	In a CA system, each party presents its certificate along with its public key. Any party that trusts the CA and has obtained the CA's public key securely can verify any certificate using the process illustrated in Figure 48.
</p-en>
<p-ch>
	在CA系统中，每一方都提交其证书及其公钥。任何信任该CA并安全地获得CA公钥的一方，都可以使用图48所示的过程验证任何证书。
</p-ch>
<img src="fig.48.jpg" width="" height="" alt="" />
<p-en>
	Figure 48: A certificate issued by a CA can be validated by any party that has securely obtained the CA's public key. If the certificate is valid, the subject public key contained within can be trusted to belong to the subject identified by the certificate.
</p-en>
<p-ch>
	图48: 任何一方只要安全地获得CA的公钥，就可以对CA签发的证书进行验证。如果证书是有效的，则可以相信其中所含的主体公钥属于证书所确定的主体。
</p-ch>
<p-en>
	One of the main drawbacks of the CA system is that the CA's private key becomes a very attractive attack target. This issue is somewhat mitigated by minimizing the use of the CA's private key, which reduces the opportunities for its compromise. The authority described above becomes the root CA, and their private key is only used to produce certificates for the intermediate CAs who, in turn, are responsible for generating certificates for the other parties in the system, as shown in Figure 49.
</p-en>
<p-ch>
	CA系统的主要缺点之一是CA的私钥成为一个非常有吸引力的攻击目标。通过尽量减少CA私钥的使用，可以在一定程度上缓解这一问题，从而减少其被泄露的机会。如图49所示，上述权威成为根CA，他们的私钥只用于为中间CA生成证书，而中间CA又负责为系统中其他各方生成证书。
</p-ch>
<img src="fig.49.jpg" width="" height="" alt="" />
<p-en>
	Figure 49: A hierarchical CA structure minimizes the usage of the root CA's private key, reducing the opportunities for it to get compromised. The root CA only signs the certificates of intermediate CAs, which sign the end users' certificates.
</p-en>
<p-ch>
	图49: 层次化的CA结构可以最大限度地减少根CA私钥的使用，减少其被泄露的机会。根CA只对中间CA的证书进行签名，而中间CA则对最终用户的证书进行签名。
</p-ch>
<p-en>
	In hierarchical CA systems, the only public key that gets distributed securely to all the parties is the root CA's public key. Therefore, when two parties wish to interact, each party must present their own certificate, as well as the certificate of the issuing CA. For example, given the hierarchy in Figure 49, Alice would prove the authenticity of her public key to Bob by presenting her certificate, as well as the certificate of Intermediate CA 1. Bob would first use the steps in Figure 48 to validate Intermediate CA 1's certificate against the root CA's public key, which would assure him of the authenticity of Intermediate CA 1's public key. Bob would then validate Alice's certificate using Intermediate CA 1's public key, which he now trusts.
</p-en>
<p-ch>
	在层次化CA系统中，唯一能安全分发到各方的公钥是根CA的公钥。因此，当两方希望进行交互时，每一方都必须出示自己的证书，以及发行CA的证书。例如，给定图49中的层次结构，Alice将通过提交她的证书以及中间CA 1的证书来向Bob证明她的公钥的真实性。Bob将首先使用图48中的步骤将中间CA 1的证书与根CA的公钥进行验证，这将保证他的中间CA 1的公钥的真实性。然后Bob会使用中间CA 1的公钥来验证Alice的证书，现在他信任Alice。
</p-ch>
<p-en>
	In most countries, the government issues ID cards for its citizens, and therefore acts as as a certificate authority. An ID card, shown in Figure 50, is a certificate that binds a subject's identity, which is a full legal name, to the subject's physical appearance, which is used as a public key.
</p-en>
<p-ch>
	在大多数国家，政府为其公民颁发身份证，因此充当证书权威。图50所示的身份证是一种证书，它将主体的身份（即完整的法定姓名）与主体的外貌联系起来，外貌被用作公钥。
</p-ch>
<img src="fig.50.jpg" width="" height="" alt="" />
<p-en>
	Figure 50: An ID card is a certificate that binds a subject's full legal name (identity) to the subject's physical appearance, which acts as a public key.
</p-en>
<p-ch>
	图50：身份证是将主体的法定全称(身份)与主体的外貌进行绑定的证书，外貌作为公钥。
</p-ch>
<p-en>
	The CA system is very similar to the identity document (ID card) systems used to establish a person's identity, and a comparison between the two may help further the reader's understanding of the concepts in the CA system.
</p-en>
<p-ch>
	CA系统与用于确定个人身份的身份证件(ID卡)系统非常相似，两者的比较可能有助于读者进一步理解CA系统中的概念。
</p-ch>
<p-en>
	Each government's ID card issuing operations are regulated by laws, so an ID card's issue date can be used to track down the laws that make up its certification policy. Last, the security of ID cards does not (yet) rely on cryptographic primitives. Instead, ID cards include physical security measures designed to deter tampering and prevent counterfeiting.
</p-en>
<p-ch>
	每个政府的身份证发放业务都有法律规定，所以身份证的发放日期可以用来追踪构成其认证政策的法律。最后，ID卡的安全性并不（还）依赖于加密基元。相反，ID卡包括旨在阻止篡改和防止伪造的物理安全措施。
</p-ch>
<subsubsection-title-en>3.2.2 Key Agreement Protocols</subsubsection-title-en>
<subsubsection-title-ch>3.2.2 钥同意协议</subsubsection-title-ch>

<p-en>
	The initial design of symmetric key primitives, introduced in §3.1, assumed that when two parties wish to interact, one party generates a secret key and shares it with the other party using a communication channel with confidentiality and integrity guarantees. In practice, a pre-existing secure communication channel is rarely available.
</p-en>
<p-ch>
	§3.1中介绍的对称钥基元的最初设计，假定当双方希望进行交互时，一方生成一个密钥，并使用具有保密性和完整性保证的通信通道与另一方共享。在实践中，很少有预先存在的安全通信通道。
</p-ch>
<p-en>
	Key agreement protocols are used by two parties to establish a shared secret key, and only require a communication channel with integrity guarantees. Figure 51 outlines the Diffie-Hellman Key Exchange (DKE) [43] protocol, which should give the reader an intuition for how key agreement protocols work.
</p-en>
<p-ch>
	钥同意协议被双方用来建立一个共享的密钥，只需要一个有完整性保证的通信通道。图51概述了Diffie-Hellman密钥交换(DKE)[43]协议，此图应该能使读者对于钥同意协议如何工作有一个直观的认识。
</p-ch>
<img src="fig.51.jpg" width="" height="" alt="" />
<p-en>
	Figure 51: In the Diffie-Hellman Key Exchange (DKE) protocol, Alice and Bob agree on a shared secret key K = g^AB mod p. An adversary who observes g^A mod p and g^B mod p cannot compute K.
</p-en>
<p-ch>
	图51: 在Diffie-Hellman密钥交换（DKE）协议中，Alice和Bob商定了一个共享的密钥K=g^AB mod p，一个观察到g^A mod p和g^B mod p的敌人无法计算K。
</p-ch>
<p-en>
	This work is interested in using key agreement protocols to build larger systems, so we will neither explain the mathematic details in DKE, nor prove its correctness. We note that both Alice and Bob derive the same shared secret key, K = g^AB mod p, without ever transmitting K. Furthermore, the messages transmitted in DKE, namely g^A mod p and g^B mod p, are not sufficient for an eavesdropper Eve to determine K, because efficiently solving for x in g^x mod p is an open problem assumed to be very difficult.
</p-en>
<p-ch>
	本文感兴趣的是使用钥同意协议来构建更大的系统，所以我们既不会解释DKE中的数学细节，也不会证明其正确性。我们注意到，Alice和Bob都是在没有传输K的情况下推导出相同的共享秘钥，即K=g^AB mod p。此外，DKE中传输的消息，即g^A mod p和g^B mod p，并不足以让窃听者Eve确定K，因为有效地求解g^x mod p中的x是一个开放性问题，假设是非常困难的。
</p-ch>
<p-en>
	Key agreement protocols require a communication channel with integrity guarantees. If an active adversary Eve can tamper with the messages transmitted by Alice and Bob, she can perform a man-in-the-middle (MITM) attack, as illustrated in Figure 52.
</p-en>
<p-ch>
	钥同意协议需要一个具有完整性保证的通信通道。如果主动敌人Eve可以篡改Alice和Bob传输的消息，她就可以进行中间人（MITM）攻击，如图52所示。
</p-ch>
<img src="fig.52.jpg" width="" height="" alt="" />
<p-en>
	Figure 52: Any key agreement protocol is vulnerable to a manin-the-middle (MITM) attack. The active attacker performs key agreements and establishes shared secrets with both parties. The attacker can then forward messages between the victims, in order to observe their communication. The attacker can also send its own messages to either, impersonating the other victim.
</p-en>
<p-ch>
	图52: 任何钥同意协议都容易受到中间人攻击（MITM）。主动攻击者执行钥同意，并与双方建立共享秘密。然后，攻击者可以在受害者之间转发消息，以便观察他们的通信。攻击者也可以冒充另一个受害者，向其中一个受害者发送自己的信息。
</p-ch>
<p-en>
	In a MITM attack, Eve intercepts Alice's first key exchange message, and sends Bob her own message. Eve then intercepts Bob's response and replaces it with her own, which she sends to Alice. Eve effectively performs key exchanges with both Alice and Bob, establishing a shared secret with each of them, with neither Bob nor Alice being aware of her presence.
</p-en>
<p-ch>
	在MITM攻击中，Eve截获了Alice的第一次钥交换信息，并向Bob发送了自己的信息。然后，Eve截获Bob的回应，并将其替换为她自己的回应，再发送给Alice。Eve有效地与Alice和Bob进行了密钥交换，与他们每个人建立了共享的秘密，Bob和Alice都不知道她的存在。
</p-ch>
<p-en>
	After establishing shared keys with both Alice and Bob, Eve can choose to observe the communication between Alice and Bob, by forwarding messages between them. For example, when Alice transmits a message, Eve can decrypt it using K1, the shared key between herself and Alice. Eve can then encrypt the message with K2, the key established between Bob and herself. While Bob still receives Alice's message, Eve has been able to see its contents.
</p-en>
<p-ch>
	在与Alice和Bob建立共享钥后，Eve可以选择观察Alice和Bob之间的通信情况，在他们之间转发消息。例如，当Alice传送消息时，Eve可以用自己和Alice之间的共享钥K1对消息进行解密。然后，Eve可以用K2，也就是Bob和她自己之间建立的钥对信息进行加密。当Bob还在接收Alice的信息时，Eve已经能够看到信息的内容。
</p-ch>
<p-en>
	Furthermore, Eve can impersonate either party in the communication. For example, Eve can create a message, encrypt it with K2, and then send it to Bob. As Bob thinks that K2 is a shared secret key established between himself and Alice, he will believe that Eve's message comes from Alice.
</p-en>
<p-ch>
	此外，Eve可以在通信中冒充任何一方。例如，Eve可以创建一个消息，用K2加密，然后发送给Bob。由于Bob认为K2是自己和Alice之间建立的共享秘钥，所以他会认为Eve的信息来自Alice。
</p-ch>
<p-en>
	MITM attacks on key agreement protocols can be foiled by authenticating the party who sends the last message in the protocol (in our examples, Bob) and having them sign the key agreement messages. When a CA system is in place, Bob uses his public key to sign the messages in the key agreement and also sends Alice his certificate, along with the certificates for any intermediate CAs. Alice validates Bob's certificate, ensures that the subject identified by the certificate is whom she expects (Bob), and verifies that the key agreement messages exchanged between herself and Bob match the signature provided by Bob.
</p-en>
<p-ch>
	对钥同意协议的MITM攻击可以通过 鉴真 协议中发送最后一条消息的一方（在我们的例子中，Bob）并让他们签名 钥同意 消息 来挫败。当CA系统到位后，Bob使用他的公钥[<remark-ch>应该是私钥吧?</remark-ch>]来签名 钥同意协议 中的消息，同时也将他的证书以及任何中间CA的证书发送给Alice。Alice对Bob的证书进行验证，确保证书所标识的主体是她所期望的人（Bob），并验证她和Bob之间交换的 钥同意消息 与Bob提供的签名相匹配。
</p-ch>
<p-en>
	In conclusion, a key agreement protocol can be used to bootstrap symmetric key primitives from an asymmetric key signing scheme, where only one party needs to be able to sign messages.
</p-en>
<p-ch>
	总之，钥同意协议 可以用来从非对称钥签名方案中引导对称钥基元，其中只有一方需要能够签名消息。
</p-ch>

</body>
</html>	